Unlocking the Door to Identity Management
Virtual Centralization
Instead of consolidating its disparate stores of user information as Nationwide plans to do, Prudential Financial ($371 billion in assets, Newark, NJ) manages its separate databases centrally as one virtual store. The carrier is able to treat user information as if it were contained in a single database because each employee is assigned a virtual corporate ID, reports Ken Tyminski, chief information security officer, Prudential Financial. For example, Tyminski has the same ID on Prudential's mainframe database as he does on its Windows database, remote access database and VPN database, he explains. "In most companies, my ID for the payroll system would be different from my ID for the general ledger and that would be different from my Internet and Windows ID." Through the use of its four-year-old, internally developed ID Manage tool, the carrier cuts down on the time it takes to manage user accounts. "ID Manage can collect a new user's information and pass it on to all of the systems," says Tyminski. Because Tyminski has the same ID throughout the organization, his corporate ID can be easily referenced from any system.
Whether user information is centrally managed virtually or manually, having the ability to quickly and consistently control a user's access across all applications is crucial, especially if an employee is fired. "Most organizations provide users with the ability to access corporate IT resources remotely," says Chris Mullins, compliance solutions director, BindView (Houston). "If you haven't removed a user from the system by the time they get home from being terminated, you've got a big problem."
Most carriers handle provisioning manually, and if they are dealing with disparate user information stores, the time it takes to terminate a former employee's access can be lengthy. The META Group study reports the average elapsed time from a request to delete a user's access privileges, to request resolution, is 10 hours. Although the actual time it takes to delete privileges is only about an hour, before user information and privileges can be deleted from manually managed systems, a request usually must pass through the hands of four or five administrators, says Kurt Johnson, vice president of business development, Courion (Framingham, MA).
In order to avoid this lengthy process, Prudential Financial plans to automate the account provisioning of its internal business applications. Currently, through the use of its ID Manage tool, the carrier automates provisioning of access to parts of its infrastructure such as its mainframe, Internet and remote access systems for employees. Automated provisioning of the internal business applications will be handled by a vendor product, and after its implementation, the provisioning for parts of the infrastructure will be moved onto the same provisioning system.
Besides the financial incentives to consolidate passwords, there are regulatory considerations as well. The automation of account provisioning, along with automatic password reset functions, is receiving renewed attention from health insurers as they move toward HIPAA compliance. In order to be compliant, says PwC's Hunt, health insurers must implement access control in a consistent way throughout their organizations. They must also maintain detailed audit trails to resolve questions about who had access to what.
WellPoint Health Networks ($7.4 billion in assets, Thousand Oaks, CA) has bolstered its HIPAA compliance through implementation of Courion's PasswordCourier and ProfileCourier. The tools enable the carrier's 16,000 employees to reset their own passwords and manage personal authentication without having to make calls to the help desk. According to Courion's Johnson, the tools help carriers such as WellPoint move toward HIPAA compliance because they enforce stronger password policies, automatically log all password change activity, and ensure the authentication of persons with access to patient data.
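The pattern the article describes, one corporate ID fanned out to every connected system, a termination request resolved everywhere at once, and an audit trail that answers "who had access to what", is illustrated below as an added example. It is not Prudential's ID Manage tool or Courion's product; it is a toy identity hub written for this page. The system names, the corporate ID "KT1234", the timestamps and the 12-minute resolution time are all constructed.

```python
"""Toy identity hub: one corporate ID on every connected system, with an audit trail
and a check that a termination request was fully resolved."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class ConnectedSystem:
    """A system the hub manages (mainframe, Windows, VPN ...); accounts are keyed by corporate ID."""
    name: str
    accounts: dict = field(default_factory=dict)   # corp_id -> set of roles

    def create(self, corp_id: str, roles) -> None:
        self.accounts[corp_id] = set(roles)

    def delete(self, corp_id: str) -> bool:
        return self.accounts.pop(corp_id, None) is not None

    def has(self, corp_id: str) -> bool:
        return corp_id in self.accounts


class IdentityHub:
    """Fans provisioning and deprovisioning out to every connected system and logs each change."""

    def __init__(self, systems):
        self.systems = {s.name: s for s in systems}
        self.audit = []   # one record per change: when, actor, action, corp_id, system, ok

    def _log(self, when, actor, action, corp_id, system, ok=True):
        self.audit.append({"when": when, "actor": actor, "action": action,
                           "corp_id": corp_id, "system": system, "ok": ok})

    def provision(self, when, actor, corp_id, entitlements):
        """entitlements: {system name: roles}. The same corp_id is created on every system."""
        for name, roles in entitlements.items():
            self.systems[name].create(corp_id, roles)
            self._log(when, actor, "create", corp_id, name)

    def request_termination(self, when, actor, corp_id):
        """Record the moment the delete request was raised (start of the elapsed-time clock)."""
        self._log(when, actor, "terminate_requested", corp_id, "*")

    def deprovision(self, when, actor, corp_id):
        """Remove the ID from every system that still has it; returns {system: removed?}."""
        results = {}
        for name, system in self.systems.items():
            if system.has(corp_id):
                results[name] = system.delete(corp_id)
                self._log(when, actor, "delete", corp_id, name, results[name])
        return results

    def lingering_access(self, corp_id):
        """Systems where the ID still exists; must be empty once a termination is resolved."""
        return sorted(n for n, s in self.systems.items() if s.has(corp_id))

    def termination_latency_hours(self, corp_id):
        """Elapsed hours from the termination request to the last successful delete."""
        requested = [r["when"] for r in self.audit
                     if r["corp_id"] == corp_id and r["action"] == "terminate_requested"]
        deleted = [r["when"] for r in self.audit
                   if r["corp_id"] == corp_id and r["action"] == "delete" and r["ok"]]
        if not requested or not deleted:
            return None
        return (max(deleted) - min(requested)) / timedelta(hours=1)

    def access_history(self, corp_id):
        """Audit trail for one ID: who granted or removed access to which system, and when."""
        return [r for r in self.audit if r["corp_id"] == corp_id]


def demo():
    """Constructed scenario: one hire, one termination, resolved everywhere in 12 minutes."""
    hub = IdentityHub([ConnectedSystem("mainframe"), ConnectedSystem("windows"),
                       ConnectedSystem("remote_access"), ConnectedSystem("vpn")])
    t0 = datetime(2003, 5, 1, 9, 0, tzinfo=UTC)          # constructed timestamp
    hub.provision(t0, "id_manage", "KT1234", {          # constructed corporate ID
        "mainframe": ["payroll_read"], "windows": ["domain_user"],
        "remote_access": ["dialin"], "vpn": ["employee"],
    })
    hub.request_termination(t0 + timedelta(days=30), "hr", "KT1234")
    hub.deprovision(t0 + timedelta(days=30, minutes=12), "id_manage", "KT1234")
    return hub


if __name__ == "__main__":
    h = demo()
    print("lingering access:", h.lingering_access("KT1234"))
    print("request-to-resolution (hours):", h.termination_latency_hours("KT1234"))
    for rec in h.access_history("KT1234"):
        print(rec["when"].isoformat(), rec["actor"], rec["action"], rec["system"])
```

The two checks at the end are the ones an auditor or incident responder actually wants: `lingering_access` is empty only when every system has dropped the ID, and `termination_latency_hours` is the request-to-resolution figure the META Group study measured, computed from the audit trail rather than from memory.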
-----------------------------------
3 Steps to ID Consolidation
Through the centralization of their existing identity-management systems, insurers can enhance the accuracy and cost efficiency of user information management and account provisioning. The following, suggests John Hunt, partner, PricewaterhouseCoopers LLP (New York), are steps to centralization:
Form a Strategy.
This consists of pulling together IT security, human resources and representatives from lines of business to talk about how to map identities. At this stage, an authoritative source of identities must be identified.
Ensure the Accuracy of the Authoritative Source.
Make sure there are processes in place to ensure that information is accurate and consistent, because now you are going to be triggering access and information sources off the databases, so you need to make sure that the information is correct.
What Will Your Use-Cases Around Identity Be?
How are you going to grant access for a new employee or customer, and how will you delete access? These processes already exist in organizations, but they need to be tested to see if they can be broken. Then build requirements and look at some of the tools available. Many will let you execute and automate their processes.
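Steps two and three above amount to a recurring check: validate the authoritative source, then compare every application's account store against it to see whether the grant and delete use-cases are actually holding. The script below is an added example of that reconciliation, not Hunt's or any vendor's code. The HR feed, the per-system account dumps, the department baseline and all IDs in it are constructed; the `corp_id` attribute on each account is an assumption standing in for whatever field links an application account back to the corporate identity.

```python
"""Reconcile application account stores against an authoritative identity source."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    corp_id: str
    status: str        # "active" or "terminated"
    department: str


# Constructed HR feed: the authoritative source of identities.
HR_FEED = [
    Person("KT1234", "active", "security"),
    Person("JS0001", "active", "claims"),
    Person("MR0042", "terminated", "claims"),
]

# Constructed feed with the defects validate_source() is meant to catch.
BAD_FEED = [
    Person("AA0001", "active", "claims"),
    Person("AA0001", "activ", ""),        # duplicate ID, misspelled status, no department
]

# Constructed account dumps: {system: {account name: corp_id attribute}}.
# None means the account carries no link back to the authoritative source.
SYSTEM_ACCOUNTS = {
    "mainframe": {"KT1234": "KT1234", "JS0001": "JS0001", "MR0042": "MR0042"},
    "windows":   {"KT1234": "KT1234", "jsmith": "JS0001", "svc_backup": None},
    "vpn":       {"KT1234": "KT1234"},
}

# Which systems an active person in each department should hold (the 'grant access' use-case).
BASELINE = {"security": {"mainframe", "windows", "vpn"}, "claims": {"mainframe", "vpn"}}


def validate_source(hr_feed):
    """Step 2: the source everything else keys off must itself be clean. Returns problem strings."""
    problems, seen = [], set()
    for p in hr_feed:
        if p.corp_id in seen:
            problems.append(f"duplicate corp_id {p.corp_id}")
        seen.add(p.corp_id)
        if p.status not in ("active", "terminated"):
            problems.append(f"{p.corp_id}: unknown status {p.status!r}")
        if not p.department:
            problems.append(f"{p.corp_id}: no department")
    return problems


def reconcile(hr_feed, system_accounts, baseline):
    """Step 3: test the grant/delete processes by comparing each system against the source."""
    people = {p.corp_id: p for p in hr_feed}
    findings = {"orphan": [], "terminated_still_present": [], "id_mismatch": [], "missing": []}
    for system, accounts in system_accounts.items():
        for account, corp_id in accounts.items():
            person = people.get(corp_id)
            if person is None:
                # Nobody in the authoritative source owns this account.
                findings["orphan"].append((system, account))
                continue
            if person.status == "terminated":
                # The delete use-case failed for this system.
                findings["terminated_still_present"].append((system, account, corp_id))
            if account != corp_id:
                # Account name differs from the corporate ID: the 'one ID everywhere' mapping is broken.
                findings["id_mismatch"].append((system, account, corp_id))
    for person in hr_feed:
        if person.status != "active":
            continue
        for system in sorted(baseline.get(person.department, ())):
            if person.corp_id not in system_accounts.get(system, {}).values():
                # The grant use-case has not delivered the baseline access.
                findings["missing"].append((system, person.corp_id))
    return findings


if __name__ == "__main__":
    print("source problems:", validate_source(HR_FEED))
    for kind, items in reconcile(HR_FEED, SYSTEM_ACCOUNTS, BASELINE).items():
        print(f"{kind}: {items}")
```

Run on a schedule, the "terminated_still_present" list is the direct measure of whether deprovisioning is keeping up, and "orphan" accounts are the ones no one will ever think to remove because no identity owns them.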